<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    
    <title>Archive of security issues &mdash; Django 1.7.8.dev20150401230226 documentation</title>
    
    <link rel="stylesheet" href="../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '../',
        VERSION:     '1.7.8.dev20150401230226',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true
      };
    </script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <link rel="top" title="Django 1.7.8.dev20150401230226 documentation" href="../index.html" />
    <link rel="up" title="Release notes" href="index.html" />
    <link rel="next" title="Django internals" href="../internals/index.html" />
    <link rel="prev" title="Django version 0.95 release notes" href="0.95.html" />



 
<script type="text/javascript" src="../templatebuiltins.js"></script>
<script type="text/javascript">
(function($) {
    if (!django_template_builtins) {
       // templatebuiltins.js missing, do nothing.
       return;
    }
    $(document).ready(function() {
        // Hyperlink Django template tags and filters
        var base = "../ref/templates/builtins.html";
        if (base == "#") {
            // Special case for builtins.html itself
            base = "";
        }
        // Tags are keywords, class '.k'
        $("div.highlight\\-html\\+django span.k").each(function(i, elem) {
             var tagname = $(elem).text();
             if ($.inArray(tagname, django_template_builtins.ttags) != -1) {
                 var fragment = tagname.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>");
             }
        });
        // Filters are functions, class '.nf'
        $("div.highlight\\-html\\+django span.nf").each(function(i, elem) {
             var filtername = $(elem).text();
             if ($.inArray(filtername, django_template_builtins.tfilters) != -1) {
                 var fragment = filtername.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>");
             }
        });
    });
})(jQuery);
</script>


  </head>
  <body>

    <div class="document">
  <div id="custom-doc" class="yui-t6">
    <div id="hd">
      <h1><a href="../index.html">Django 1.7.8.dev20150401230226 documentation</a></h1>
      <div id="global-nav">
        <a title="Home page" href="../index.html">Home</a>  |
        <a title="Table of contents" href="../contents.html">Table of contents</a>  |
        <a title="Global index" href="../genindex.html">Index</a>  |
        <a title="Module index" href="../py-modindex.html">Modules</a>
      </div>
      <div class="nav">
    &laquo; <a href="0.95.html" title="Django version 0.95 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="../internals/index.html" title="Django internals">next</a> &raquo;</div>
    </div>

    <div id="bd">
      <div id="yui-main">
        <div class="yui-b">
          <div class="yui-g" id="releases-security">
            
  <div class="section" id="s-archive-of-security-issues">
<span id="s-security-releases"></span><span id="archive-of-security-issues"></span><span id="security-releases"></span><h1>Archive of security issues<a class="headerlink" href="#archive-of-security-issues" title="Permalink to this headline">¶</a></h1>
<p>Django&#8217;s development team is strongly committed to responsible
reporting and disclosure of security-related issues, as outlined in
<a class="reference internal" href="../internals/security.html"><em>Django&#8217;s security policies</em></a>.</p>
<p>As part of that commitment, we maintain the following historical list
of issues which have been fixed and disclosed. For each issue, the
list below includes the date, a brief description, the <a class="reference external" href="http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures">CVE identifier</a>
if applicable, a list of affected versions, a link to the full
disclosure and links to the appropriate patch(es).</p>
<p>Some important caveats apply to this information:</p>
<ul class="simple">
<li>Lists of affected versions include only those versions of Django
which had stable, security-supported releases at the time of
disclosure. This means older versions (whose security support had
expired) and versions which were in pre-release (alpha/beta/RC)
states at the time of disclosure may have been affected, but are not
listed.</li>
<li>The Django project has on occasion issued security advisories,
pointing out potential security problems which can arise from
improper configuration or from other issues outside of Django
itself. Some of these advisories have received CVEs; when that is
the case, they are listed here, but as they have no accompanying
patches or releases, only the description, disclosure and CVE will
be listed.</li>
</ul>
<div class="section" id="s-issues-prior-to-django-s-security-process">
<span id="issues-prior-to-django-s-security-process"></span><h2>Issues prior to Django&#8217;s security process<a class="headerlink" href="#issues-prior-to-django-s-security-process" title="Permalink to this headline">¶</a></h2>
<p>Some security issues were handled before Django had a formalized
security process in use. For these, new releases may not have been
issued at the time and CVEs may not have been assigned.</p>
<div class="section" id="s-august-16-2006-cve-2007-0404">
<span id="august-16-2006-cve-2007-0404"></span><h3>August 16, 2006 - CVE-2007-0404<a class="headerlink" href="#august-16-2006-cve-2007-0404" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0404&amp;cid=3">CVE-2007-0404</a>: Filename validation issue in translation framework. <a class="reference external" href="https://www.djangoproject.com/weblog/2006/aug/16/compilemessages/">Full description</a></p>
<div class="section" id="s-versions-affected">
<span id="versions-affected"></span><h4>Versions affected<a class="headerlink" href="#versions-affected" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 0.90 <a class="reference external" href="https://github.com/django/django/commit/518d406e53">(patch)</a></li>
<li>Django 0.91 <a class="reference external" href="https://github.com/django/django/commit/518d406e53">(patch)</a></li>
<li>Django 0.95 <a class="reference external" href="https://github.com/django/django/commit/a132d411c6">(patch)</a> (released January 21 2007)</li>
</ul>
</div>
</div>
<div class="section" id="s-january-21-2007-cve-2007-0405">
<span id="january-21-2007-cve-2007-0405"></span><h3>January 21, 2007 - CVE-2007-0405<a class="headerlink" href="#january-21-2007-cve-2007-0405" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0405&amp;cid=3">CVE-2007-0405</a>: Apparent &#8220;caching&#8221; of authenticated user. <a class="reference external" href="https://www.djangoproject.com/weblog/2007/jan/21/0951/">Full description</a></p>
<div class="section" id="s-id1">
<span id="id1"></span><h4>Versions affected<a class="headerlink" href="#id1" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 0.95 <a class="reference external" href="https://github.com/django/django/commit/e89f0a6558">(patch)</a></li>
</ul>
</div>
</div>
</div>
<div class="section" id="s-issues-under-django-s-security-process">
<span id="issues-under-django-s-security-process"></span><h2>Issues under Django&#8217;s security process<a class="headerlink" href="#issues-under-django-s-security-process" title="Permalink to this headline">¶</a></h2>
<p>All other security issues have been handled under versions of Django&#8217;s
security process. These are listed below.</p>
<div class="section" id="s-october-26-2007-cve-2007-5712">
<span id="october-26-2007-cve-2007-5712"></span><h3>October 26, 2007 - CVE-2007-5712<a class="headerlink" href="#october-26-2007-cve-2007-5712" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5712&amp;cid=3">CVE-2007-5712</a>: Denial-of-service via arbitrarily-large <tt class="docutils literal"><span class="pre">Accept-Language</span></tt> header. <a class="reference external" href="https://www.djangoproject.com/weblog/2007/oct/26/security-fix/">Full description</a></p>
<div class="section" id="s-id2">
<span id="id2"></span><h4>Versions affected<a class="headerlink" href="#id2" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 0.91 <a class="reference external" href="https://github.com/django/django/commit/8bc36e726c9e8c75c681d3ad232df8e882aaac81">(patch)</a></li>
<li>Django 0.95 <a class="reference external" href="https://github.com/django/django/commit/412ed22502e11c50dbfee854627594f0e7e2c234">(patch)</a></li>
<li>Django 0.96 <a class="reference external" href="https://github.com/django/django/commit/7dd2dd08a79e388732ce00e2b5514f15bd6d0f6f">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-may-14-2008-cve-2008-2302">
<span id="may-14-2008-cve-2008-2302"></span><h3>May 14, 2008 - CVE-2008-2302<a class="headerlink" href="#may-14-2008-cve-2008-2302" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2302&amp;cid=3">CVE-2008-2302</a>: XSS via admin login redirect. <a class="reference external" href="https://www.djangoproject.com/weblog/2008/may/14/security/">Full description</a></p>
<div class="section" id="s-id3">
<span id="id3"></span><h4>Versions affected<a class="headerlink" href="#id3" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 0.91 <a class="reference external" href="https://github.com/django/django/commit/50ce7fb57d">(patch)</a></li>
<li>Django 0.95 <a class="reference external" href="https://github.com/django/django/commit/50ce7fb57d">(patch)</a></li>
<li>Django 0.96 <a class="reference external" href="https://github.com/django/django/commit/7791e5c050">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-september-2-2008-cve-2008-3909">
<span id="september-2-2008-cve-2008-3909"></span><h3>September 2, 2008 - CVE-2008-3909<a class="headerlink" href="#september-2-2008-cve-2008-3909" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3909&amp;cid=3">CVE-2008-3909</a>: CSRF via preservation of POST data during admin login. <a class="reference external" href="https://www.djangoproject.com/weblog/2008/sep/02/security/">Full description</a></p>
<div class="section" id="s-id4">
<span id="id4"></span><h4>Versions affected<a class="headerlink" href="#id4" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 0.91 <a class="reference external" href="https://github.com/django/django/commit/44debfeaa4473bd28872c735dd3d9afde6886752">(patch)</a></li>
<li>Django 0.95 <a class="reference external" href="https://github.com/django/django/commit/aee48854a164382c655acb9f18b3c06c3d238e81">(patch)</a></li>
<li>Django 0.96 <a class="reference external" href="https://github.com/django/django/commit/7e0972bded362bc4b851c109df2c8a6548481a8e">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-july-28-2009-cve-2009-2659">
<span id="july-28-2009-cve-2009-2659"></span><h3>July 28, 2009 - CVE-2009-2659<a class="headerlink" href="#july-28-2009-cve-2009-2659" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2659&amp;cid=3">CVE-2009-2659</a>: Directory-traversal in development server media handler. <a class="reference external" href="https://www.djangoproject.com/weblog/2009/jul/28/security/">Full description</a></p>
<div class="section" id="s-id5">
<span id="id5"></span><h4>Versions affected<a class="headerlink" href="#id5" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 0.96 <a class="reference external" href="https://github.com/django/django/commit/da85d76fd6">(patch)</a></li>
<li>Django 1.0 <a class="reference external" href="https://github.com/django/django/commit/df7f917b7f">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-october-9-2009-cve-2009-3965">
<span id="october-9-2009-cve-2009-3965"></span><h3>October 9, 2009 - CVE-2009-3965<a class="headerlink" href="#october-9-2009-cve-2009-3965" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3695&amp;cid=3">CVE-2009-3965</a>: Denial-of-service via pathological regular expression performance. <a class="reference external" href="https://www.djangoproject.com/weblog/2009/oct/09/security/">Full description</a></p>
<div class="section" id="s-id6">
<span id="id6"></span><h4>Versions affected<a class="headerlink" href="#id6" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.0 <a class="reference external" href="https://github.com/django/django/commit/594a28a904">(patch)</a></li>
<li>Django 1.1 <a class="reference external" href="https://github.com/django/django/commit/e3e992e18b">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-september-8-2010-cve-2010-3082">
<span id="september-8-2010-cve-2010-3082"></span><h3>September 8, 2010 - CVE-2010-3082<a class="headerlink" href="#september-8-2010-cve-2010-3082" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3082&amp;cid=3">CVE-2010-3082</a>: XSS via trusting unsafe cookie value. <a class="reference external" href="https://www.djangoproject.com/weblog/2010/sep/08/security-release/">Full description</a></p>
<div class="section" id="s-id7">
<span id="id7"></span><h4>Versions affected<a class="headerlink" href="#id7" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.2 <a class="reference external" href="https://github.com/django/django/commit/7f84657b6b">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-december-22-2010-cve-2010-4534">
<span id="december-22-2010-cve-2010-4534"></span><h3>December 22, 2010 - CVE-2010-4534<a class="headerlink" href="#december-22-2010-cve-2010-4534" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4534&amp;cid=3">CVE-2010-4534</a>: Information leakage in administrative interface. <a class="reference external" href="https://www.djangoproject.com/weblog/2010/dec/22/security/">Full description</a></p>
<div class="section" id="s-id8">
<span id="id8"></span><h4>Versions affected<a class="headerlink" href="#id8" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.1 <a class="reference external" href="https://github.com/django/django/commit/17084839fd">(patch)</a></li>
<li>Django 1.2 <a class="reference external" href="https://github.com/django/django/commit/85207a245b">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-december-22-2010-cve-2010-4535">
<span id="december-22-2010-cve-2010-4535"></span><h3>December 22, 2010 - CVE-2010-4535<a class="headerlink" href="#december-22-2010-cve-2010-4535" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4535&amp;cid=2">CVE-2010-4535</a>: Denial-of-service in password-reset mechanism. <a class="reference external" href="https://www.djangoproject.com/weblog/2010/dec/22/security/">Full description</a></p>
<div class="section" id="s-id9">
<span id="id9"></span><h4>Versions affected<a class="headerlink" href="#id9" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.1 <a class="reference external" href="https://github.com/django/django/commit/7f8dd9cbac">(patch)</a></li>
<li>Django 1.2 <a class="reference external" href="https://github.com/django/django/commit/d5d8942a16">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-february-8-2011-cve-2011-0696">
<span id="february-8-2011-cve-2011-0696"></span><h3>February 8, 2011 - CVE-2011-0696<a class="headerlink" href="#february-8-2011-cve-2011-0696" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0696&amp;cid=2">CVE-2011-0696</a>: CSRF via forged HTTP headers. <a class="reference external" href="https://www.djangoproject.com/weblog/2011/feb/08/security/">Full description</a></p>
<div class="section" id="s-id10">
<span id="id10"></span><h4>Versions affected<a class="headerlink" href="#id10" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.1 <a class="reference external" href="https://github.com/django/django/commit/408c5c873c">(patch)</a></li>
<li>Django 1.2 <a class="reference external" href="https://github.com/django/django/commit/818e70344e">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-february-8-2011-cve-2011-0697">
<span id="february-8-2011-cve-2011-0697"></span><h3>February 8, 2011 - CVE-2011-0697<a class="headerlink" href="#february-8-2011-cve-2011-0697" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0697&amp;cid=2">CVE-2011-0697</a>: XSS via unsanitized names of uploaded files. <a class="reference external" href="https://www.djangoproject.com/weblog/2011/feb/08/security/">Full description</a></p>
<div class="section" id="s-id11">
<span id="id11"></span><h4>Versions affected<a class="headerlink" href="#id11" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.1 <a class="reference external" href="https://github.com/django/django/commit/1966786d2d">(patch)</a></li>
<li>Django 1.2 <a class="reference external" href="https://github.com/django/django/commit/1f814a9547">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-february-8-2011-cve-2011-0698">
<span id="february-8-2011-cve-2011-0698"></span><h3>February 8, 2011 - CVE-2011-0698<a class="headerlink" href="#february-8-2011-cve-2011-0698" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0698&amp;cid=2">CVE-2011-0698</a>: Directory-traversal on Windows via incorrect path-separator handling. <a class="reference external" href="https://www.djangoproject.com/weblog/2011/feb/08/security/">Full description</a></p>
<div class="section" id="s-id12">
<span id="id12"></span><h4>Versions affected<a class="headerlink" href="#id12" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.1 <a class="reference external" href="https://github.com/django/django/commit/570a32a047">(patch)</a></li>
<li>Django 1.2 <a class="reference external" href="https://github.com/django/django/commit/194566480b">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-september-9-2011-cve-2011-4136">
<span id="september-9-2011-cve-2011-4136"></span><h3>September 9, 2011 - CVE-2011-4136<a class="headerlink" href="#september-9-2011-cve-2011-4136" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4136&amp;cid=2">CVE-2011-4136</a>: Session manipulation when using memory-cache-backed session. <a class="reference external" href="https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id13">
<span id="id13"></span><h4>Versions affected<a class="headerlink" href="#id13" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.2 <a class="reference external" href="https://github.com/django/django/commit/ac7c3a110f">(patch)</a></li>
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/fbe2eead2f">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-september-9-2011-cve-2011-4137">
<span id="september-9-2011-cve-2011-4137"></span><h3>September 9, 2011 - CVE-2011-4137<a class="headerlink" href="#september-9-2011-cve-2011-4137" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4137&amp;cid=2">CVE-2011-4137</a>: Denial-of-service via <tt class="docutils literal"><span class="pre">URLField.verify_exists</span></tt>. <a class="reference external" href="https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id14">
<span id="id14"></span><h4>Versions affected<a class="headerlink" href="#id14" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.2 <a class="reference external" href="https://github.com/django/django/commit/7268f8af86">(patch)</a></li>
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/1a76dbefdf">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-september-9-2011-cve-2011-4138">
<span id="september-9-2011-cve-2011-4138"></span><h3>September 9, 2011 - CVE-2011-4138<a class="headerlink" href="#september-9-2011-cve-2011-4138" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4138&amp;cid=2">CVE-2011-4138</a>: Information leakage/arbitrary request issuance via <tt class="docutils literal"><span class="pre">URLField.verify_exists</span></tt>. <a class="reference external" href="https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id15">
<span id="id15"></span><h4>Versions affected<a class="headerlink" href="#id15" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.2 <a class="reference external" href="https://github.com/django/django/commit/7268f8af86">(patch)</a></li>
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/1a76dbefdf">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-september-9-2011-cve-2011-4139">
<span id="september-9-2011-cve-2011-4139"></span><h3>September 9, 2011 - CVE-2011-4139<a class="headerlink" href="#september-9-2011-cve-2011-4139" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4139&amp;cid=2">CVE-2011-4139</a>: <tt class="docutils literal"><span class="pre">Host</span></tt> header cache poisoning. <a class="reference external" href="https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id16">
<span id="id16"></span><h4>Versions affected<a class="headerlink" href="#id16" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.2 <a class="reference external" href="https://github.com/django/django/commit/c613af4d64">(patch)</a></li>
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/2f7fadc38e">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-september-9-2011-cve-2011-4140">
<span id="september-9-2011-cve-2011-4140"></span><h3>September 9, 2011 - CVE-2011-4140<a class="headerlink" href="#september-9-2011-cve-2011-4140" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4140&amp;cid=2">CVE-2011-4140</a>: Potential CSRF via <tt class="docutils literal"><span class="pre">Host</span></tt> header. <a class="reference external" href="https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id17">
<span id="id17"></span><h4>Versions affected<a class="headerlink" href="#id17" title="Permalink to this headline">¶</a></h4>
<p>This notification was an advisory only, so no patches were issued.</p>
<ul class="simple">
<li>Django 1.2</li>
<li>Django 1.3</li>
</ul>
</div>
</div>
<div class="section" id="s-july-30-2012-cve-2012-3442">
<span id="july-30-2012-cve-2012-3442"></span><h3>July 30, 2012 - CVE-2012-3442<a class="headerlink" href="#july-30-2012-cve-2012-3442" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3442&amp;cid=2">CVE-2012-3442</a>: XSS via failure to validate redirect scheme. <a class="reference external" href="https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id18">
<span id="id18"></span><h4>Versions affected<a class="headerlink" href="#id18" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/4dea4883e6c50d75f215a6b9bcbd95273f57c72d">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/e34685034b60be1112160e76091e5aee60149fa1">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-july-30-2012-cve-2012-3443">
<span id="july-30-2012-cve-2012-3443"></span><h3>July 30, 2012 - CVE-2012-3443<a class="headerlink" href="#july-30-2012-cve-2012-3443" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3443&amp;cid=2">CVE-2012-3443</a>: Denial-of-service via compressed image files. <a class="reference external" href="https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id19">
<span id="id19"></span><h4>Versions affected<a class="headerlink" href="#id19" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/b2eb4787a0fff9c9993b78be5c698e85108f3446">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/c14f325c4eef628bc7bfd8873c3a72aeb0219141">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-july-30-2012-cve-2012-3444">
<span id="july-30-2012-cve-2012-3444"></span><h3>July 30, 2012 - CVE-2012-3444<a class="headerlink" href="#july-30-2012-cve-2012-3444" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3444&amp;cid=2">CVE-2012-3444</a>: Denial-of-service via large image files. <a class="reference external" href="https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id20">
<span id="id20"></span><h4>Versions affected<a class="headerlink" href="#id20" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/9ca0ff6268eeff92d0d0ac2c315d4b6a8e229155">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/da33d67181b53fe6cc737ac1220153814a1509f6">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-october-17-2012-cve-2012-4520">
<span id="october-17-2012-cve-2012-4520"></span><h3>October 17, 2012 - CVE-2012-4520<a class="headerlink" href="#october-17-2012-cve-2012-4520" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4520&amp;cid=2">CVE-2012-4520</a>: <tt class="docutils literal"><span class="pre">Host</span></tt> header poisoning. <a class="reference external" href="https://www.djangoproject.com/weblog/2012/oct/17/security/">Full description</a></p>
<div class="section" id="s-id21">
<span id="id21"></span><h4>Versions affected<a class="headerlink" href="#id21" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-december-10-2012-no-cve-1">
<span id="december-10-2012-no-cve-1"></span><h3>December 10, 2012 - No CVE 1<a class="headerlink" href="#december-10-2012-no-cve-1" title="Permalink to this headline">¶</a></h3>
<p>Additional hardening of <tt class="docutils literal"><span class="pre">Host</span></tt> header handling. <a class="reference external" href="https://www.djangoproject.com/weblog/2012/dec/10/security/">Full description</a></p>
<div class="section" id="s-id22">
<span id="id22"></span><h4>Versions affected<a class="headerlink" href="#id22" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/2da4ace0bc1bc1d79bf43b368cb857f6f0cd6b1b">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/319627c184e71ae267d6b7f000e293168c7b6e09">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-december-10-2012-no-cve-2">
<span id="december-10-2012-no-cve-2"></span><h3>December 10, 2012 - No CVE 2<a class="headerlink" href="#december-10-2012-no-cve-2" title="Permalink to this headline">¶</a></h3>
<p>Additional hardening of redirect validation. <a class="reference external" href="https://www.djangoproject.com/weblog/2012/dec/10/security/">Full description</a></p>
<div class="section" id="s-id23">
<span id="id23"></span><h4>Versions affected<a class="headerlink" href="#id23" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/1515eb46daa0897ba5ad5f0a2db8969255f1b343">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/b2ae0a63aeec741f1e51bac9a95a27fd635f9652">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-february-19-2013-no-cve">
<span id="february-19-2013-no-cve"></span><h3>February 19, 2013 - No CVE<a class="headerlink" href="#february-19-2013-no-cve" title="Permalink to this headline">¶</a></h3>
<p>Additional hardening of <tt class="docutils literal"><span class="pre">Host</span></tt> header handling. <a class="reference external" href="https://www.djangoproject.com/weblog/2013/feb/19/security/">Full description</a></p>
<div class="section" id="s-id24">
<span id="id24"></span><h4>Versions affected<a class="headerlink" href="#id24" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/27cd872e6e36a81d0bb6f5b8765a1705fecfc253">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/9936fdb11d0bbf0bd242f259bfb97bbf849d16f8">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-february-19-2013-cve-2013-1664-1665">
<span id="february-19-2013-cve-2013-1664-1665"></span><h3>February 19, 2013 - CVE-2013-1664/1665<a class="headerlink" href="#february-19-2013-cve-2013-1664-1665" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1664&amp;cid=2">CVE-2013-1664</a> and <a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1665&amp;cid=2">CVE-2013-1665</a>: Entity-based attacks against Python XML libraries. <a class="reference external" href="https://www.djangoproject.com/weblog/2013/feb/19/security/">Full description</a></p>
<div class="section" id="s-id25">
<span id="id25"></span><h4>Versions affected<a class="headerlink" href="#id25" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40">(patch)</a></li>
</ul>
</div>
</div>
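<p>The entity-based attacks above (entity expansion such as "billion laughs", and external entity references that read local files or URLs) are stopped by refusing the DTD before the parser expands anything. The following is an added example, not Django's own serializer code: it installs expat callbacks that raise on any DOCTYPE, entity declaration or external reference, which is the same defence the patched XML deserializer takes. The fixture and attack documents are constructed for the example.</p>

```python
# Added example, not Django's serializer: reject DTDs, entity declarations
# and external entity references in expat's callbacks before expansion.
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """The document tried to declare a DTD, an entity or an external reference."""


def _forbid_doctype(name, sysid, pubid, has_internal_subset):
    raise ForbiddenXML("DOCTYPE declarations are not allowed: %r" % name)


def _forbid_entity(name, is_parameter, value, base, sysid, pubid, notation):
    raise ForbiddenXML("entity declarations are not allowed: %r" % name)


def _forbid_external_ref(context, base, sysid, pubid):
    raise ForbiddenXML("external entity references are not allowed: %r" % sysid)


def parse_untrusted_xml(data):
    """Parse `data` (bytes) and return (tag, text) pairs in end-tag order.

    The three handlers raise as soon as a DTD or entity appears, so neither
    exponential entity expansion (CPU/memory) nor external entity retrieval
    (file or URL reads) can take place."""
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _forbid_doctype
    parser.EntityDeclHandler = _forbid_entity
    parser.ExternalEntityRefHandler = _forbid_external_ref

    elements, stack = [], []

    def start(tag, attrs):
        stack.append((tag, []))

    def chars(text):
        # Character data may arrive in several chunks; collect them per element.
        if stack:
            stack[-1][1].append(text)

    def end(tag):
        name, parts = stack.pop()
        elements.append((name, "".join(parts)))

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return elements


def is_rejected(data):
    """True if the hardened parser refuses `data`."""
    try:
        parse_untrusted_xml(data)
    except ForbiddenXML:
        return True
    return False


# Constructed samples: a benign fixture-style document and two classic attacks.
BENIGN = (b'<django-objects version="1.0"><object model="notes.note" pk="1">'
          b'<field name="title" type="CharField">hello</field></object></django-objects>')
BILLION_LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
                  b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">'
                  b']><lolz>&lol3;</lolz>')
XXE = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY secret SYSTEM "file:///etc/passwd">]>'
       b'<x>&secret;</x>')

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    print(is_rejected(BILLION_LAUGHS), is_rejected(XXE))
```

<p>Because the DOCTYPE handler fires before any entity is declared, the check does not depend on the libexpat version's own amplification limits; a document that merely contains an inline DTD for legitimate reasons will also be refused, which is the intended trade-off for data from untrusted sources.</p>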
<div class="section" id="s-february-19-2013-cve-2013-0305">
<span id="february-19-2013-cve-2013-0305"></span><h3>February 19, 2013 - CVE-2013-0305<a class="headerlink" href="#february-19-2013-cve-2013-0305" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0305&amp;cid=2">CVE-2013-0305</a>: Information leakage via admin history log. <a class="reference external" href="https://www.djangoproject.com/weblog/2013/feb/19/security/">Full description</a></p>
<div class="section" id="s-id26">
<span id="id26"></span><h4>Versions affected<a class="headerlink" href="#id26" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/d3a45e10c8ac8268899999129daa27652ec0da35">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/0e7861aec73702f7933ce2a93056f7983939f0d6">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-february-19-2013-cve-2013-0306">
<span id="february-19-2013-cve-2013-0306"></span><h3>February 19, 2013 - CVE-2013-0306<a class="headerlink" href="#february-19-2013-cve-2013-0306" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0306&amp;cid=2">CVE-2013-0306</a>: Denial-of-service via formset <tt class="docutils literal"><span class="pre">max_num</span></tt> bypass. <a class="reference external" href="https://www.djangoproject.com/weblog/2013/feb/19/security/">Full description</a></p>
<div class="section" id="s-id27">
<span id="id27"></span><h4>Versions affected<a class="headerlink" href="#id27" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.3 <a class="reference external" href="https://github.com/django/django/commit/d7094bbce8cb838f3b40f504f198c098ff1cf727">(patch)</a></li>
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/0cc350a896f70ace18280410eb616a9197d862b0">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-august-13-2013-awaiting-cve-1">
<span id="august-13-2013-awaiting-cve-1"></span><h3>August 13, 2013 - Awaiting CVE 1<a class="headerlink" href="#august-13-2013-awaiting-cve-1" title="Permalink to this headline">¶</a></h3>
<p>(CVE not yet issued at the time of the release; later assigned <a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4249&amp;cid=2">CVE-2013-4249</a>): XSS via admin trusting <tt class="docutils literal"><span class="pre">URLField</span></tt> values. <a class="reference external" href="https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id28">
<span id="id28"></span><h4>Versions affected<a class="headerlink" href="#id28" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/90363e388c61874add3f3557ee654a996ec75d78">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-august-13-2013-awaiting-cve-2">
<span id="august-13-2013-awaiting-cve-2"></span><h3>August 13, 2013 - Awaiting CVE 2<a class="headerlink" href="#august-13-2013-awaiting-cve-2" title="Permalink to this headline">¶</a></h3>
<p>(CVE not yet issued at the time of the release; later assigned <a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6044&amp;cid=2">CVE-2013-6044</a>): Possible XSS via unvalidated URL redirect schemes. <a class="reference external" href="https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id29">
<span id="id29"></span><h4>Versions affected<a class="headerlink" href="#id29" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a">(patch)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-september-10-2013-cve-2013-4315">
<span id="september-10-2013-cve-2013-4315"></span><h3>September 10, 2013 - CVE-2013-4315<a class="headerlink" href="#september-10-2013-cve-2013-4315" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4315&amp;cid=2">CVE-2013-4315</a>: Directory-traversal via <tt class="docutils literal"><span class="pre">ssi</span></tt> template tag. <a class="reference external" href="https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id30">
<span id="id30"></span><h4>Versions affected<a class="headerlink" href="#id30" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/87d2750b39f6f2d54b7047225521a44dcd37e896">(patch)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/988b61c550d798f9a66d17ee0511fb7a9a7f33ca">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-september-14-2013-cve-2013-1443">
<span id="september-14-2013-cve-2013-1443"></span><h3>September 14, 2013 - CVE-2013-1443<a class="headerlink" href="#september-14-2013-cve-2013-1443" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1443&amp;cid=2">CVE-2013-1443</a>: Denial-of-service via large passwords. <a class="reference external" href="https://www.djangoproject.com/weblog/2013/sep/15/security/">Full description</a></p>
<div class="section" id="s-id31">
<span id="id31"></span><h4>Versions affected<a class="headerlink" href="#id31" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/3f3d887a6844ec2db743fee64c9e53e04d39a368">(patch</a> and <a class="reference external" href="https://github.com/django/django/commit/6903d1690a92aa040adfb0c8eb37cf62e4206714">Python compatibility fix)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/22b74fa09d7ccbc8c52270d648a0da7f3f0fa2bc">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-april-21-2014-cve-2014-0472">
<span id="april-21-2014-cve-2014-0472"></span><h3>April 21, 2014 - CVE-2014-0472<a class="headerlink" href="#april-21-2014-cve-2014-0472" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0472&amp;cid=2">CVE-2014-0472</a>: Unexpected code execution using <tt class="docutils literal"><span class="pre">reverse()</span></tt>. <a class="reference external" href="https://www.djangoproject.com/weblog/2014/apr/21/security/">Full description</a></p>
<div class="section" id="s-id32">
<span id="id32"></span><h4>Versions affected<a class="headerlink" href="#id32" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/c1a8c420fe4b27fb2caf5e46d23b5712fc0ac535">(patch)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/2a5bcb69f42b84464b24b5c835dca6467b6aa7f1">(patch)</a></li>
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/4352a50871e239ebcdf64eee6f0b88e714015c1b">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/546740544d7f69254a67b06a3fc7fa0c43512958">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-april-21-2014-cve-2014-0473">
<span id="april-21-2014-cve-2014-0473"></span><h3>April 21, 2014 - CVE-2014-0473<a class="headerlink" href="#april-21-2014-cve-2014-0473" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0473&amp;cid=2">CVE-2014-0473</a>: Caching of anonymous pages could reveal CSRF token. <a class="reference external" href="https://www.djangoproject.com/weblog/2014/apr/21/security/">Full description</a></p>
<div class="section" id="s-id33">
<span id="id33"></span><h4>Versions affected<a class="headerlink" href="#id33" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/1170f285ddd6a94a65f911a27788ba49ca08c0b0">(patch)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/6872f42757d7ef6a97e0b6ec5db4d2615d8a2bd8">(patch)</a></li>
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/d63e20942f3024f24cb8cd85a49461ba8a9b6736">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/380545bf85cbf17fc698d136815b7691f8d023ca">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-april-21-2014-cve-2014-0474">
<span id="april-21-2014-cve-2014-0474"></span><h3>April 21, 2014 - CVE-2014-0474<a class="headerlink" href="#april-21-2014-cve-2014-0474" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0474&amp;cid=2">CVE-2014-0474</a>: MySQL typecasting causes unexpected query results. <a class="reference external" href="https://www.djangoproject.com/weblog/2014/apr/21/security/">Full description</a></p>
<div class="section" id="s-id34">
<span id="id34"></span><h4>Versions affected<a class="headerlink" href="#id34" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/aa80f498de6d687e613860933ac58433ab71ea4b">(patch)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/985434fb1d6bf2335bf96c6ebf91c3674f1f399f">(patch)</a></li>
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/5f0829a27e85d89ad8c433f5c6a7a7d17c9e9292">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/34526c2f56b863c2103655a0893ac801667e86ea">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-may-18-2014-cve-2014-1418">
<span id="may-18-2014-cve-2014-1418"></span><h3>May 18, 2014 - CVE-2014-1418<a class="headerlink" href="#may-18-2014-cve-2014-1418" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1418&amp;cid=2">CVE-2014-1418</a>: Caches may be allowed to store and serve private data. <a class="reference external" href="https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id35">
<span id="id35"></span><h4>Versions affected<a class="headerlink" href="#id35" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/28e23306aa53bbbb8fb87db85f99d970b051026c">(patch)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/4001ec8698f577b973c5a540801d8a0bbea1205b">(patch)</a></li>
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/1abcf3a808b35abae5d425ed4d44cb6e886dc769">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/7fef18ba9e5a8b47bc24b5bb259c8bf3d3879f2a">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-may-18-2014-cve-2014-3730">
<span id="may-18-2014-cve-2014-3730"></span><h3>May 18, 2014 - CVE-2014-3730<a class="headerlink" href="#may-18-2014-cve-2014-3730" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3730&amp;cid=2">CVE-2014-3730</a>: Malformed URLs from user input incorrectly validated. <a class="reference external" href="https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/">Full description</a></p>
<div class="section" id="s-id36">
<span id="id36"></span><h4>Versions affected<a class="headerlink" href="#id36" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/7feb54bbae3f637ab3c4dd4831d4385964f574df">(patch)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/ad32c218850ad40972dcef57beb460f8c979dd6d">(patch)</a></li>
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/601107524523bca02376a0ddc1a06c6fdb8f22f3">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/e7b0cace455c2da24492660636bfd48c45a19cdf">(patch)</a></li>
</ul>
</div>
</div>
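<p>Three entries in this archive concern the same check: the December 10, 2012 redirect hardening, the August 13, 2013 unvalidated redirect schemes issue, and CVE-2014-3730 above, where malformed URLs (backslashes in place of slashes) were accepted as same-site targets. The following is an added example, not Django's own <tt class="docutils literal"><span class="pre">is_safe_url()</span></tt>: a redirect-target check written in the same spirit, run over constructed <tt class="docutils literal"><span class="pre">?next=</span></tt> values covering each input class. The host name <tt class="docutils literal"><span class="pre">app.example</span></tt> and the function names are the example's own.</p>

```python
# Added example, not Django's is_safe_url(): a redirect-target check that
# rejects off-site hosts, non-http(s) schemes, scheme-relative URLs,
# backslash variants and control characters.
from urllib.parse import urlparse

ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_safe_redirect(url, allowed_host):
    """Return True only if `url` is a same-site target: a relative path or
    an http(s) URL whose host is exactly `allowed_host`."""
    if not url:
        return False
    # Control characters (e.g. a leading NUL) let browsers re-read the scheme
    # after a naive string check has passed.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        return False
    # Browsers treat backslashes as slashes. Normalise first so that
    # "http:\\evil.example" and "/\evil.example" are seen for what they are.
    url = url.replace("\\", "/")
    # Scheme-relative URLs ("//evil.example/") leave the site.
    if url.startswith("//"):
        return False
    try:
        parsed = urlparse(url)
    except ValueError:
        return False
    # Only http(s) may be redirected to; this stops javascript: and data:.
    if parsed.scheme and parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # A scheme without a host ("http:///evil.example") is read by browsers
    # as an absolute URL to that host; refuse it outright.
    if parsed.scheme and not parsed.netloc:
        return False
    # An absolute URL must point back at our own host (userinfo tricks such
    # as "http://app.example@evil.example" fail this comparison).
    if parsed.netloc and parsed.netloc.lower() != allowed_host.lower():
        return False
    return True


# Constructed sample targets, as an attacker might supply them in ?next=
SAMPLE_TARGETS = [
    "/accounts/profile/",
    "https://app.example/dashboard/",
    "javascript:alert(document.cookie)",
    "data:text/html,<script>alert(1)</script>",
    "//evil.example/",
    "http:\\\\evil.example",
    "/\\evil.example",
    "http:///evil.example",
    "http://app.example@evil.example/",
    "\x00javascript:alert(1)",
]


def check_samples(allowed_host="app.example"):
    """Map each sample target to the verdict the check gives it."""
    return {target: is_safe_redirect(target, allowed_host) for target in SAMPLE_TARGETS}


if __name__ == "__main__":
    for target, verdict in check_samples().items():
        print("%-45r %s" % (target, "allow" if verdict else "REJECT"))
```

<p>The check is deliberately an allow-list: anything that is not a plain relative path or an http(s) URL on the expected host is rejected, so new URL tricks fail closed rather than open. Only the first two sample targets are accepted.</p>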
<div class="section" id="s-august-20-2014-cve-2014-0480">
<span id="august-20-2014-cve-2014-0480"></span><h3>August 20, 2014 - CVE-2014-0480<a class="headerlink" href="#august-20-2014-cve-2014-0480" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0480&amp;cid=2">CVE-2014-0480</a>: <tt class="docutils literal"><span class="pre">reverse()</span></tt> can generate URLs pointing to other hosts. <a class="reference external" href="https://www.djangoproject.com/weblog/2014/aug/20/security/">Full description</a></p>
<div class="section" id="s-id37">
<span id="id37"></span><h4>Versions affected<a class="headerlink" href="#id37" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/c2fe73133b62a1d9e8f7a6b43966570b14618d7e">(patch)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/45ac9d4fb087d21902469fc22643f5201d41a0cd">(patch)</a></li>
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/da051da8df5e69944745072611351d4cfc6435d5">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/bf650a2ee78c6d1f4544a875dcc777cf27fe93e9">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-august-20-2014-cve-2014-0481">
<span id="august-20-2014-cve-2014-0481"></span><h3>August 20, 2014 - CVE-2014-0481<a class="headerlink" href="#august-20-2014-cve-2014-0481" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0481&amp;cid=2">CVE-2014-0481</a>: File upload denial of service. <a class="reference external" href="https://www.djangoproject.com/weblog/2014/aug/20/security/">Full description</a></p>
<div class="section" id="s-id38">
<span id="id38"></span><h4>Versions affected<a class="headerlink" href="#id38" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/30042d475bf084c6723c6217a21598d9247a9c41">(patch)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/26cd48e166ac4d84317c8ee6d63ac52a87e8da99">(patch)</a></li>
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/dd0c3f4ee1a30c1a1e6055061c6ba6e58c6b54d1">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/3123f8452cf49071be9110e277eea60ba0032216">(patch)</a></li>
</ul>
</div>
</div>
<div class="section" id="s-august-20-2014-cve-2014-0482">
<span id="august-20-2014-cve-2014-0482"></span><h3>August 20, 2014 - CVE-2014-0482<a class="headerlink" href="#august-20-2014-cve-2014-0482" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0482&amp;cid=2">CVE-2014-0482</a>: <tt class="docutils literal"><span class="pre">RemoteUserMiddleware</span></tt> session hijacking. <a class="reference external" href="https://www.djangoproject.com/weblog/2014/aug/20/security/">Full description</a></p>
<div class="section" id="s-id39">
<span id="id39"></span><h4>Versions affected<a class="headerlink" href="#id39" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/c9e3b9949cd55f090591fbdc4a114fcb8368b6d9">(patch)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/dd68f319b365f6cb38c5a6c106faf4f6142d7d88">(patch)</a></li>
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/0268b855f9eab3377f2821164ef3e66037789e09">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/1a45d059c70385fcd6f4a3955f3b4e4cc96d0150">(patch)</a></li>
</ul>
</div>
</div>
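<p>The hijack in CVE-2014-0482 arises when an existing session is trusted without being compared against the identity the front-end authentication layer asserts in <tt class="docutils literal"><span class="pre">REMOTE_USER</span></tt> on each request. The following is an added example, not Django's middleware: a minimal model with a hypothetical dict-backed session and two resolvers, the pre-patch behaviour beside the hardened one, exercised on a constructed scenario in which a session established for one user is replayed on requests the front end authenticates as another. Logging out when the header is absent is this model's own choice.</p>

```python
# Added example, not Django's RemoteUserMiddleware: the session/identity
# consistency check, modelled on a plain dict session.


def resolve_user_vulnerable(session, remote_user):
    """Pre-patch behaviour: an existing session wins, whatever the front-end
    authentication layer now asserts in REMOTE_USER."""
    if session.get("user"):
        return session["user"]
    if remote_user:
        session["user"] = remote_user
    return session.get("user")


def resolve_user_hardened(session, remote_user):
    """Patched behaviour: the session is honoured only while it agrees with
    REMOTE_USER; on a mismatch (or a missing header) it is flushed."""
    if not remote_user:
        # Header gone: the front end no longer vouches for anyone (this
        # model's choice; the point is that the stale session is not kept).
        session.clear()
        return None
    if session.get("user") and session["user"] != remote_user:
        # Identity changed under an existing session: drop that session
        # rather than let it carry the previous user's identity forward.
        session.clear()
    if not session.get("user"):
        session["user"] = remote_user
    return session["user"]


def hijack_scenario(resolver):
    """Constructed scenario: a session established for 'alice' is replayed on
    a request the front end authenticates as 'mallory'. Returns who each
    request ran as, followed by the session's final state."""
    session = {}
    first = resolver(session, "alice")      # alice authenticates at the proxy
    second = resolver(session, "mallory")   # same session cookie, new REMOTE_USER
    return first, second, dict(session)


if __name__ == "__main__":
    print("vulnerable:", hijack_scenario(resolve_user_vulnerable))
    print("hardened:  ", hijack_scenario(resolve_user_hardened))
```

<p>With the vulnerable resolver the second request still runs as alice, which is the hijack; with the hardened one the mismatch flushes the session and the request runs as the identity the front end actually asserted.</p>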
<div class="section" id="s-august-20-2014-cve-2014-0483">
<span id="august-20-2014-cve-2014-0483"></span><h3>August 20, 2014 - CVE-2014-0483<a class="headerlink" href="#august-20-2014-cve-2014-0483" title="Permalink to this headline">¶</a></h3>
<p><a class="reference external" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0483&amp;cid=2">CVE-2014-0483</a>: Data leakage via querystring manipulation in admin. <a class="reference external" href="https://www.djangoproject.com/weblog/2014/aug/20/security/">Full description</a></p>
<div class="section" id="s-id40">
<span id="id40"></span><h4>Versions affected<a class="headerlink" href="#id40" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>Django 1.4 <a class="reference external" href="https://github.com/django/django/commit/027bd348642007617518379f8b02546abacaa6e0">(patch)</a></li>
<li>Django 1.5 <a class="reference external" href="https://github.com/django/django/commit/2a446c896e7c814661fb9c4f212b071b2a7fa446">(patch)</a></li>
<li>Django 1.6 <a class="reference external" href="https://github.com/django/django/commit/f7c494f2506250b8cb5923714360a3642ed63e0f">(patch)</a></li>
<li>Django 1.7 <a class="reference external" href="https://github.com/django/django/commit/2b31342cdf14fc20e07c43d258f1e7334ad664a6">(patch)</a></li>
</ul>
</div>
</div>
</div>
</div>


          </div>
        </div>
      </div>
      
        
          <div class="yui-b" id="sidebar">
              <h3>Last update:</h3>
              <p class="topless">Apr 02, 2015</p>
          </div>
        
      
    </div>

  </div>

      <div class="clearer"></div>
    </div>
  </body>
</html>